The REvil group is back, this time encrypting more than one million systems and demanding a $70,000,000 Bitcoin payment to free the “universal Decryptor” that will unlock all encrypted files on any affected system.
According to estimates, around 200 companies were affected. Forty of these were tied to Kaseya, a managed service provider (MSP) believed to be at the center of the supply-chain attack.
REvil Group Demands $70 Million Bitcoin Payment for Decryptor
Reports of another ransomware attack spread across the internet late on July 2, 2021. Around 30 MSPs were hit, and through them hundreds, theoretically millions, of computers were affected.
The ransomware attack was quickly discovered to be the work of the REvil crime syndicate. They demanded ransoms up to $50,000 to unlock individual systems. Larger decryption keys for companies were offered for $5 million. All payments were made in Bitcoin.
On Sunday, July 4, 2021, an update to REvil's dark web site revealed that the criminal group would provide a universal decryption code to all affected businesses and organizations for a fee of $70 million.
REvil Hits 200 Businesses in Supply Chain Attack
A BBC report claims that ransomware has infected around 200 US-based businesses. However, the knock-on effects of the attack have been far more significant. The nature of a supply-chain attack means that the first victim often becomes a stepping stone to secondary victims. This is why the REvil ransomware attack had multiple victims.
500 Coop supermarkets in Sweden were closed, as well as 11 schools in New Zealand. Numerous other minor incidents occurred around the world. Fred Voccola, CEO of Kaseya, stated that the primary victims would be “dental offices, architecture firms, and plastic surgery centers, libraries, and other such things.”
There may be more victims. But, unfortunately, many of them are not yet reporting or disclosing the ransomware breach.
Dutch Security Researchers Reported Kaseya Zero-Day Vulnerability
Security researchers from the Dutch Institute for Vulnerability Disclosure disclosed that they had previously contacted Kaseya regarding several zero-day vulnerabilities. These were tracked under CVE-2021-30116 in line with responsible disclosure guidelines.
The researchers assisted Kaseya, saying they “provided our input and helped them deal with it.” They also supplied customer IDs and IP addresses of customers who had not yet responded to Kaseya; these customers were quickly contacted by telephone.
Most importantly, Kaseya was aware of the danger before the REvil ransomware struck, which could complicate the post-mortem process for many of the companies affected.